WatchGuard has disclosed a critical out-of-bounds write vulnerability in its Fireware OS that allows remote, unauthenticated attackers to execute arbitrary code through IKEv2 VPN connections.
Tracked as CVE-2025-9242 under advisory WGSA-2025-00015, the flaw carries a CVSS 4.0 score of 9.3, reflecting its potential for high-impact exploitation of Firebox appliances.
Published on September 17, 2025, and updated two days later, the advisory covers versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1, exposing hundreds of small and midsize businesses to risks up to full system compromise.
WatchGuard, which secures more than 250,000 organizations and 10 million endpoints, urges immediate patching to reduce the threat from ransomware operators and other malicious actors targeting perimeter defenses.
The vulnerability resides in the IKE process of Fireware OS, which handles IKEv2 negotiations for mobile users and branch office VPNs configured with dynamic gateway peers.
WatchGuard VPN Vulnerability
An attacker can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger an out-of-bounds write in the ike2_ProcessPayload_CERT function, where attacker-controlled identification data overflows a 520-byte stack buffer without sufficient bounds checking.
Even deleted VPN configurations may leave residual exposure if static peers remain active, allowing pre-authentication access over UDP port 500.
Security researchers at watchTowr Labs, crediting btaol for the discovery, reverse-engineered the code by patch diffing the vulnerable 12.11.3 and patched 12.11.4 versions, revealing that the fix was a simple added length check.
This stack-based buffer overflow, a primitive dating back to 1996, persists in 2025 enterprise gear lacking modern mitigations such as PIE or stack canaries, though NX is enabled.
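The defect class described above is a fixed-size stack buffer filled with a length taken straight from the packet. The following C is an added illustration written for this article, not WatchGuard's code or watchTowr's analysis: the struct, function names and the constructed payload are hypothetical, and only the 520-byte buffer size is taken from the advisory coverage. It shows the unchecked copy beside the hardened form, where a length check ahead of the copy (the kind of fix the patch diff reportedly revealed) rejects any identity payload larger than the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a parsed IKEv2 payload (constructed for this example):
 * a length field read from the wire and a pointer to the payload body. */
struct ike_payload {
    uint16_t len;          /* attacker-controlled length, up to 65535 */
    const uint8_t *data;   /* payload body following the generic header */
};

/* Stack buffer size quoted in the advisory coverage. */
#define CERT_ID_BUF_LEN 520

/* Pre-fix shape of the bug: the copy length comes straight from the packet,
 * so a body longer than CERT_ID_BUF_LEN writes past the end of id_buf and
 * into saved registers and the return address. Never call this with an
 * oversized payload; it is here only to show the missing check. */
int process_cert_unchecked(const struct ike_payload *p) {
    uint8_t id_buf[CERT_ID_BUF_LEN];
    memcpy(id_buf, p->data, p->len);        /* no bounds check */
    return id_buf[0];                       /* consume the data so the copy is kept */
}

/* Post-fix shape: validate the length against the destination before any
 * write happens, and treat an oversized identity as a malformed payload. */
int process_cert_checked(const struct ike_payload *p) {
    uint8_t id_buf[CERT_ID_BUF_LEN];
    if (p->data == NULL || p->len > CERT_ID_BUF_LEN) {
        return -1;                          /* drop the payload, nothing written */
    }
    memcpy(id_buf, p->data, p->len);        /* len <= sizeof id_buf is now guaranteed */
    return 0;
}

/* Helper that builds a constructed identity payload of n bytes and runs it
 * through the hardened handler. Returns 0 if accepted, -1 if rejected. */
int handle_constructed_payload(size_t n) {
    static uint8_t body[4096];              /* constructed sample body */
    memset(body, 'X', sizeof body);
    if (n > sizeof body) {
        n = sizeof body;
    }
    struct ike_payload p = { .len = (uint16_t)n, .data = body };
    return process_cert_checked(&p);
}

int main(void) {
    printf("520-byte identity: %s\n", handle_constructed_payload(520) == 0 ? "accepted" : "rejected");
    printf("521-byte identity: %s\n", handle_constructed_payload(521) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check compares the wire length against the destination size, not against the remaining packet length, which is the distinction that matters here: a payload can be internally consistent with its own header and still be larger than the buffer that receives it.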
Exploiting CVE-2025-9242 involves fingerprinting the firmware version via a custom Vendor ID payload in IKE_SA_INIT responses, which embeds base64-encoded details such as “VN=12.11.3 BN=719894” for easy identification.
Attackers then negotiate transforms such as AES-256 and Diffie-Hellman Group 14 before sending an oversized identification payload in IKE_SA_AUTH to corrupt registers and hijack control flow, resulting in a segmentation fault or a ROP chain.
watchTowr demonstrated remote code execution by chaining gadgets to invoke mprotect for stack execution, deploying reverse TCP shellcode that spawns a root Python interpreter, potentially enabling filesystem remounts or BusyBox downloads for full shell access.
Firebox devices, often the internet-facing boundary, amplify the risk; a breach could pivot to internal networks, data exfiltration, or persistent backdoors in environments without strong segmentation.
Mitigations
WatchGuard has resolved the issue in updated releases: 2025.1.1 for the 2025 branch, 12.11.4 for 12.x, 12.5.13 for T15/T35 models, and 12.3.1_Update3 for FIPS-certified 12.3.1, with 11.x now end-of-life.
Affected products span the Firebox families, including the T20 to M690 series, Cloud, and NV5/V models.
As a temporary workaround, organizations should secure IPSec/IKEv2 branch office VPNs per WatchGuard’s KB article on access controls, disabling unnecessary IKEv2 where possible.
No in-the-wild exploitation has been confirmed yet, but the unauthenticated nature of the flaw and the detailed public analysis heighten the urgency; users should monitor logs for anomalous IKE traffic and apply patches promptly to safeguard VPN concentrators serving as critical gateways.
